Abstract. We prove the unconditional security of a quantum key distribution (QKD) protocol on a noisy channel against the most general attack allowed by quantum physics. We use the fact that in a previous paper we have reduced the proof of the unconditional security of this QKD protocol to a proof that a corresponding Quantum String Oblivious Transfer (String-QOT) protocol would be unconditionally secure against Bob if implemented on top of an unconditionally secure bit commitment scheme. We prove a lemma that extends a security proof given by Yao for a (one bit) QOT protocol to this String-QOT protocol. This result and the reduction mentioned above imply the unconditional security of our QKD protocol despite our previous proof that unconditionally secure bit commitment schemes are impossible.



1 Introduction and Brief History 

One of the most popular applications of quantum physics to cryptography is quantum key distribution (QKD). In an ideal QKD, Alice and Bob, who share no secret information initially, share a secret string $s$ at the end. An eavesdropper, typically called Eve, should learn nothing about the secret string $s$, except perhaps for its length.

In this paper, we prove the security of a QKD protocol against the most general attack allowed by quantum physics. This QKD protocol works with a noisy quantum channel and an imperfect measuring apparatus, but requires a perfect source and a faithful classical channel. A channel is faithful if no one can modify a message sent in the channel without being detected. The need for a faithful classical channel is not a problem because a secret string $s_0$ initially shared between Alice and Bob can be used to simulate a faithful classical channel by use of an unconditionally secure classical authentication scheme [ref]. We assume a perfect source to avoid the technical difficulty associated with many photons per pulse.



* Supported in part by NSERC & FCAR 



Our preliminary version of the protocol uses a random linear code for er- 
ror correction. Random linear codes are very difficult to decode. However, this 
problem can be solved and a version of the protocol using an efficient error cor- 
recting code and with no requirement for a perfect source will be considered in 
the journal version of this paper. 

In addition to QKD, other applications of quantum physics to cryptography 
have been proposed. The most popular are quantum bit commitment (QBC) 
and quantum oblivious transfer (QOT). We briefly review these protocols since 
we shall refer to them in our results. In the bit commitment task from Alice to 
Bob, Alice commits a bit b. Later, if Bob asks Alice to unveil the commitment, 
he receives the bit b. The main point is that Alice cannot change the value of b 
and Bob learns nothing about b unless Alice unveils it. In the oblivious transfer 
task from Alice to Bob, Alice enters a bit b, Bob receives a perfectly random bit 
c and he learns the value of b if and only if c = 0. Alice learns nothing about c. 

The first quantum bit commitment protocol ever proposed is due to Bennett and Brassard [ref]. The authors themselves knew at the time that this protocol is insecure. Other quantum bit commitment protocols have been proposed, but none of them could be proven unconditionally secure. In fact, it has been shown recently that unconditional security for quantum bit commitment is impossible [19, 20]. A proof of computational security for a quantum bit commitment protocol is still possible, but none is currently available. The absence of a provably secure bit commitment is unfortunate because all the known quantum oblivious transfers are built on top of bit commitment, that is, they use quantum bit commitment as a sub-protocol.

The first quantum oblivious transfer protocol which would be secure if implemented on top of a secure bit commitment protocol has been proposed by Crépeau [ref]. Its security against most but not all reasonable attacks allowed by the current technology has been shown in [ref]. The first proof that considered the most general attack allowed by quantum physics, including the so called coherent measurements on many photons at a time, has been obtained by Yao [27]. Yao's proof is an important step and provides useful techniques, but it provides no security because, as for all the previous proofs, it requires a secure bit commitment and none has yet been proven secure.

Now, we are back to QKD. The security of a QKD protocol against most but not all reasonable attacks allowed by the current technology has been established in [ref]. In [17], we have reduced the unconditional security of any QKD protocol of a certain kind to a proof that a corresponding String-QOT protocol would be unconditionally secure if implemented on top of an unconditionally secure bit commitment scheme. A QKD protocol of the appropriate type is associated with a corresponding String-QOT protocol. The standard QOT protocol in Yao's proof turns out to be associated with a QKD protocol of the appropriate type. Therefore, the unconditional security of this QKD protocol is obtained from the above reduction. However, there are two problems with this protocol. First, the QOT protocol in Yao's proof is a standard one bit QOT, therefore only one secret bit is returned in the QKD version. One can repeat the protocol $n$ times to obtain a secret string of length $n$, but an initial secret key $s_0$ is required to simulate a faithful classical channel and, therefore, each execution of the protocol uses more secret bits than it returns back! Second, the QOT protocol in Yao's proof, and thus the corresponding QKD protocol, requires a noiseless quantum channel and a perfect source.

In this paper, to pursue the original idea of [17], we extend Yao's proof to a String-QOT protocol associated via the above reduction with a "strong" QKD protocol. Therefore, we have the unconditional security of this QKD protocol. This QKD protocol returns a secret string $s$ that is longer than the required initial string $s_0$. Also, it works on a noisy quantum channel. Note that our proof for this QKD protocol considers any kind of errors in Bob's apparatus because we give full control over both the channel and the apparatus to a dishonest Bob in String-QOT.

It is shown in [ref] that the security of any OT protocol implies the security of a String-OT protocol. In particular, the security of the QOT protocol in Yao's proof implies the security of a String-QOT protocol. However, the security of the resulting String-QOT protocol does not imply the security of a QKD protocol via the above reduction because it is not of the required type. Yao did not mention the possibility of generalizing his proof to the String-QOT case. It should be said that Yao was not aware of the above reduction (or did not believe it) at the time he wrote his paper [27]. Yao has announced in [27] that in the journal version of his paper the QOT protocol will work on a noisy channel, but our String-QOT protocol has been designed to work on a noisy channel without much additional effort.

2 Related results 

The main problem that one must address in the design of a QKD protocol is that Alice and Bob must exchange quantum systems, say photons, and there is no way to distinguish the interaction of these photons with the environment from their interaction with Eve's measuring apparatus. Therefore, Eve can always entangle her measuring apparatus with the exchanged photons without being detected. Later, if these photons are used to define the shared key, Eve can obtain information about this key. However, using privacy amplification techniques, one can make this information arbitrarily small. For example, in the QKD protocol considered in this paper, a classical string $w' \in \{0,1\}^N$ is stored in $N$ photons traveling from Alice to Bob. Because Eve can obtain information about $w'$, privacy amplification must be used to distill from $w'$ a shorter but secret string $b = h(w')$. Privacy amplification is an essential part of any QKD protocol. Privacy amplification in the QOT protocol of Yao's proof corresponds to the fact that the secret bit is the exclusive or of all the bits of $w'$.

Long after the BB84 protocol of [ref] was proposed, Ekert suggested a scheme in which EPR pairs are created and the photons in each pair are split between Alice and Bob [ref]. In this EPR scheme, no information is stored in the photons before they are sent, therefore one would hope that no information can be extracted by Eve. However, Eve can still entangle her apparatus with the photons and it has been shown that the kind of attacks that could work against the BB84 scheme correspond to attacks that would work against this EPR scheme [ref]. This result strongly suggested that EPR pairs might not be useful for quantum cryptography.

However, recently Deutsch, Ekert et al. proposed another EPR-based protocol with a new element, an entanglement purification procedure, also called in this context a quantum privacy amplification procedure. Entanglement purification [9] allows Alice and Bob to generate, from any supply of pairs of photons with non-zero entanglement, a smaller set of maximally entangled EPR pairs whose entanglement with any outside system, including Eve's apparatus, is arbitrarily low. Deutsch, Ekert et al. reasonably argue that their protocol is unconditionally secure against the most general attack allowed by quantum physics. An interesting point is that privacy amplification is done at the quantum level, and one can hope that this kind of privacy amplification procedure is more efficient. On the other hand, working prototypes for protocols that use simple quantum coding schemes already exist [24, 25, 22, 23, 16], whereas the technology required for this EPR-based protocol is not yet available.

Let us emphasize that in a security proof for a QKD or a String-QOT protocol one must consider carefully the criterion to reject or accept an execution of the protocol. Such a criterion always exists for a given lower bound on the length of the shared key or string. In the case of our String-QOT protocol, Alice must detect at most $\delta n$ errors. One must show that this criterion implies that the cheater cannot succeed. This analysis is difficult in the case of the most general attack allowed by quantum physics and to our knowledge only Yao's paper [27] deals rigorously with this issue.

The purpose of quantum cryptography is not only to prove the security of protocols. We also want to design more efficient protocols and see how efficient these protocols are in theory and in practice. Biham and Mor have obtained the maximal theoretical efficiency of the QKD protocol of [ref] against a restricted but still reasonable type of attacks [10]. Furthermore, it is reasonable to believe that we could eventually prove that the security parameter required against this restricted type of attack is not too far from the security parameter required against the most general attack.



3 Some algebra 



Typically, a quantum protocol involves many systems and each system is associated with its own Hilbert space $\mathcal{H}$, also called a state space. For example, the polarization of a photon is associated with a two dimensional Hilbert space. The inner product of $\mathcal{H}$ evaluated on $(|\phi\rangle, |\psi\rangle) \in \mathcal{H}^2$ is denoted $\langle\phi|\psi\rangle$. For every vector $|\phi\rangle \in \mathcal{H}$, let $|\phi\rangle^\dagger : \mathcal{H} \to \mathbb{C}$ be the linear functional on $\mathcal{H}$ which, when evaluated on any vector $|\psi\rangle \in \mathcal{H}$, simply returns the inner product $\langle\phi|\psi\rangle$. For obvious reasons, $|\phi\rangle^\dagger$ is more conveniently denoted $\langle\phi|$. In terms of matrices, one represents a vector $|\psi\rangle \in \mathcal{H}$ as a column matrix. The operation $\dagger$ on a matrix is simply the conjugate transpose, therefore $\langle\psi|$ is represented by a row matrix.

The space of linear functionals on $\mathcal{H}$ is denoted $\mathcal{H}^\dagger$. It is called the dual of $\mathcal{H}$. The inner product of $\mathcal{H}$ is also an operation on the cartesian product $\mathcal{H}^\dagger \times \mathcal{H}$. This operation can be generalized to any cartesian product of the form $\mathcal{G}_1 \times \ldots \times \mathcal{G}_n$ where each space $\mathcal{G}_i$ occurs only once and is either a state space $\mathcal{H}$ or its dual. We simply let any functional $\langle\phi| \in \mathcal{G}_i = \mathcal{H}^\dagger$ operate on the state $|\psi\rangle \in \mathcal{G}_j = \mathcal{H}$ to its right, if one exists. Everything else should not be simplified. For example, consider $\langle\psi_1| \in \mathcal{H}_1^\dagger$, $|\phi_1\rangle \in \mathcal{H}_1$, $|\psi_2\rangle \in \mathcal{H}_2$ and $\langle\phi_2| \in \mathcal{H}_2^\dagger$. We have $\langle\psi_1|\phi_1\rangle\,|\psi_2\rangle\langle\phi_2| = \lambda_1 |\psi_2\rangle\langle\phi_2|$ where $\lambda_1 = \langle\psi_1|\phi_1\rangle \in \mathbb{C}$. The object $M = |\psi_2\rangle\langle\phi_2|$ cannot be simplified, but it can operate on other objects. For instance $M$ on $|\eta_2\rangle\langle\phi_3| \in \mathcal{H}_2 \times \mathcal{H}_1^\dagger$ returns $|\psi_2\rangle\langle\phi_2|\eta_2\rangle\langle\phi_3| = \lambda_2 |\psi_2\rangle\langle\phi_3|$ where $\lambda_2 = \langle\phi_2|\eta_2\rangle \in \mathbb{C}$.

The tensor product $\mathcal{G}_1 \otimes \cdots \otimes \mathcal{G}_n$ can be interpreted as the span of the product $\mathcal{G}_1 \times \ldots \times \mathcal{G}_n$. If $|\phi_1\rangle|\phi_2\rangle$ and $|\psi_1\rangle|\psi_2\rangle$ belong to $\mathcal{H}_1 \times \mathcal{H}_2$ then the sum $|\phi_1\rangle|\phi_2\rangle + |\psi_1\rangle|\psi_2\rangle$ belongs to $\mathcal{H}_1 \otimes \mathcal{H}_2$. A formal definition of this tensor product is usually not so enlightening, so none is given here, but the basic idea is simply to extend by linearity the operations that are defined above. Two objects that cannot be distinguished via these operations (neither as operators nor as operands) are considered to be identical. One should notice the following rules:

- For every $\mathcal{H}$, a pair of objects in $\mathcal{H} \cup \mathcal{H}^\dagger$ does not commute, but everything else commutes.

- Because $\langle\phi|\psi\rangle = \langle\psi|\phi\rangle^*$, where $*$ denotes the complex conjugate, we have $|\langle\phi|\psi\rangle|^2 = \langle\phi|\psi\rangle\langle\psi|\phi\rangle = \langle\psi|\phi\rangle\langle\phi|\psi\rangle$.

- For any objects $M_1, \ldots, M_n$, we have $(M_1 \cdots M_n)^\dagger = M_n^\dagger \cdots M_1^\dagger$. In particular, $(|\psi\rangle\langle\phi|)^\dagger = |\phi\rangle\langle\psi|$.

The trace of an operator $M \in \mathcal{H} \otimes \mathcal{H}^\dagger$, i.e., from $\mathcal{H}$ into $\mathcal{H}$, is defined by $\mathrm{Tr}(M) = \sum_a \langle\psi_a|M|\psi_a\rangle$ where $\{|\psi_a\rangle\}$ is any orthonormal basis of $\mathcal{H}$. This definition is independent of the basis $\{|\psi_a\rangle\}$.

For $z, z' \in \{0,1\}^n$, $(z \oplus z') \in \{0,1\}^n$ is given by $(z \oplus z')_i = z_i \oplus z'_i = z_i + z'_i \pmod 2$, and $z \odot z' = \bigoplus_i (z_i \times z'_i)$. The set $\{0,1\}$ with the operation $\oplus$ and the ordinary product is a finite field denoted $GF(2)$. The set $GF(2)^n$ with the operation $\oplus$ is a vector space over the field $GF(2)$. Let $f$ be an $m \times n$ boolean matrix and $z$ a boolean string of length $n$; the product $fz$ is the ordinary matrix product with the sum taken modulo 2, where $z$ is seen as a boolean column matrix.

4 Quantum preliminaries 

The state of a system, also called a pure state, is represented by a vector $|\psi\rangle$ of norm 1 in the associated Hilbert space $\mathcal{H}$. The state space of a system made of $n$ subsystems with state spaces $\mathcal{H}_1, \ldots, \mathcal{H}_n$ is the tensor product $\mathcal{H}_1 \otimes \ldots \otimes \mathcal{H}_n$.

A completely refined measurement on $\mathcal{H}$ is a set of outcomes $v$ where every outcome $v$ is associated with a vector $|\phi_v\rangle \in \mathcal{H}$, but here the norm could be anything between 0 and 1. The probability of $v$ given the initial state $|\psi\rangle \in \mathcal{H}$ is simply $|\langle\phi_v|\psi\rangle|^2 = \langle\phi_v|\psi\rangle\langle\psi|\phi_v\rangle$. The only requirement on the states $|\phi_v\rangle$ is that $\sum_v |\phi_v\rangle\langle\phi_v| = I$, the identity operator. This is equivalent to saying that, for every initial state $|\psi\rangle$, the sum of the probabilities over the outcomes $v$ is 1.

The final quantum state left after the measurement is some state $|v\rangle$ which should not be confused with the vector $|\phi_v\rangle$. The operation associated with $v$ is given by $M_v = |v\rangle\langle\phi_v|$. One may check that the probability of $v$ given the initial state $|\psi\rangle$ is $\|M_v|\psi\rangle\|^2$, the square of the norm of $M_v|\psi\rangle$. The final state $|v\rangle$ can be anything because just at the end of the measurement one is free to store the residual quantum information into the final state $|v\rangle$ of his choice. If $\Omega = \{|\phi_v\rangle\}$ is an orthonormal basis of $\mathcal{H}$, a measurement in the basis $\Omega$ is simply the measurement that associates $v$ to $|\phi_v\rangle$. Such a measurement is called an orthogonal measurement.

Now, let us generalize the above definition to incomplete measurements. The most general measurement on $\mathcal{H}$ is a set of outcomes $k$ where every outcome $k$ is associated with an operator $M_k$ on $\mathcal{H}$. The difference with a complete measurement is that $M_k$ is in general a sum $M_k = \sum_v |v\rangle\langle\phi_v|$ rather than only a rank one operator $M_k = |k\rangle\langle\phi_k|$. The only requirement on the operators $M_k$ is that $\sum_k M_k^\dagger M_k = I$. The image of $M_k$ can be any sufficiently large state space $\mathcal{H}_k$, because just at the end of the measurement one is free to store the residual quantum information into the system of his choice. For example, the quantum information can be sent from the state space of a photon into the state space of an atom. The probability of $k$ given an initial state $|\psi\rangle$ is $\|M_k|\psi\rangle\|^2$.

Every measurement $M$ on a state space $\mathcal{H}$ which returns an outcome $k$ can be refined by executing another measurement $M'$ on $\mathcal{H}_k$. The new measurement $M'$ may depend upon $k$. Let $M'_v$ be the operation on $\mathcal{H}_k$ associated with the outcome $v$ of $M'$. The operation on the original space $\mathcal{H}$ associated with the overall outcome $(v,k)$ is simply $M_{(v,k)} = M'_v M_k$.

If a quantum preparation contains a pure state $|\psi_a\rangle$ with probability $p_a$, then one may conveniently represent this preparation by the operator $\rho = \sum_a p_a |\psi_a\rangle\langle\psi_a|$. The idea is that the probability of $v$ given the preparation represented by $\rho$ is simply $\langle\phi_v|\rho|\phi_v\rangle$. This works even if the initial states $|\psi_a\rangle$ are not orthogonal. Note the important fact that two distinct preparations may correspond to the same density operator. Even for an incomplete measurement on a given preparation, one may use the density operator $\rho$ of this preparation to compute the probability of an outcome $k$. We have that $\Pr(K = k \mid \rho) = \mathrm{Tr}(\Pi_k \rho)$, where $\Pi_k = M_k^\dagger M_k$. This trace is linear in $\Pi_k$ and linear in $\rho$. Therefore, it is often advantageous to work with $\Pi_k$ and $\rho$ rather than with $M_k$ and $|\psi_a\rangle$. The matrix representation of the operator $\rho$ in an orthonormal basis $\{|\psi_a\rangle\}$ is defined by $(\rho)_{a,a'} = \langle\psi_a|\rho|\psi_{a'}\rangle$.

In accordance with the BB84 coding scheme, the states $|0\rangle_+$, $|0\rangle_\times$, $|1\rangle_+$ and $|1\rangle_\times$ correspond to one photon polarized at $0°$, $45°$, $90°$ and $-45°$ respectively. Note that $+$ and $\times$ correspond to the bases $\{|0\rangle_+, |1\rangle_+\}$ and $\{|0\rangle_\times, |1\rangle_\times\}$ respectively. For every $\theta \in \{+,\times\}^n$ and every $w \in \{0,1\}^n$, $|\psi_{w,\theta}\rangle$ denotes the product state $|w_1\rangle_{\theta_1} \ldots |w_n\rangle_{\theta_n}$. For any set of positions $E = \{i_1, \ldots, i_N\}$, let $w[E]$ be the string given by $w[E]_j = w_{i_j}$, $1 \le j \le N$, and let $|\psi_{w,\theta}[E]\rangle$ be the product state $|w_{i_1}\rangle_{\theta_{i_1}} \cdots |w_{i_N}\rangle_{\theta_{i_N}}$ for the photons with position in $E$.



5 The String-QOT protocol and its security 



The QOT protocol considered by Yao in [27] is a variant of the QOT protocol which has been first proposed by Crépeau [11, 12] and improved later in [ref]. We consider the natural generalization of this single bit QOT protocol to a string QOT. In this String-QOT protocol, $n$ is the number of photons sent in the protocol, $b$ is the string sent by Alice, $m$ is the length of $b$, $r$ is the number of redundant bits needed for error correction, and $N = \lfloor 0.24\,n \rfloor$ is the length of the string shared between Alice and Bob before privacy amplification. Bob's committed bases and measured bits are written $\hat\theta$ and $\hat w$ to distinguish them from Alice's $\theta$ and $w$.

STRING-QOT($b$)

1. Alice picks a uniformly random $(r+m) \times N$ boolean matrix $f$ where the $r$ first rows define a matrix $g$ used for error correction and the $m$ following rows define a matrix $h$ used for privacy amplification (see step 7).

2. Bob picks a uniformly random $\hat\theta = \hat\theta_1 \ldots \hat\theta_n \in \{+,\times\}^n$ and makes a quantum commitment of all $\hat\theta_i$ to Alice.

3. Alice picks a uniformly random $w \in \{0,1\}^n$, a uniformly random $\theta \in \{+,\times\}^n$, and sends to Bob $n$ photons in the state $|\psi_{w,\theta}\rangle$.

4. Bob measures every photon $i$ in basis $\hat\theta_i$, records the results $\hat w_i$ and makes a quantum commitment of all $n$ bits $\hat w_i$ to Alice.

5. Alice picks a uniformly random subset $R \subseteq \{1, \ldots, n\}$ and tests the commitments made by Bob at positions $i \in R$. If more than $\delta n$ positions $i \in R$ reveal $\hat\theta_i = \theta_i$ and $\hat w_i \ne w_i$, then Alice stops the protocol; otherwise, the test result is accepted.

6. Alice announces the string $\theta$. Let $T_0$ be the set of all $i$ with $\hat\theta_i = \theta_i$, and let $T_1$ be the set of all $i$ with $\hat\theta_i \ne \theta_i$. Bob chooses a set $E_0 \subseteq T_0 - R$ and a set $E_1 \subseteq T_1 - R$, where $|E_0| = |E_1| = N$, and announces $\{E_0, E_1\}$ in random order to Alice.

7. Alice chooses at random a set $E_c \in \{E_0, E_1\}$ (the bit $c$ is her random choice). For error correction, she announces the matrix $g$ and the string $s = g\,w[E_c]$. For the computation of $b$, she announces the matrix $h$ and the string $a = b \oplus (h\,w[E_c])$.

8. If $c = 0$, Bob obtains $w[E_c]$ by correcting the errors in $\hat w[E_c]$, then he computes the intermediary string $t = h\,w[E_c]$ and obtains the string $b$ via $b = a \oplus t$. If $c = 1$, Bob obtains no information about $t$ and, thus, no information about $b$.

Yao's QOT protocol is exactly as above, except that $r = 0$, $m = 1$ and the $1 \times N$ matrix $f$ is $(1, 1, \ldots, 1)$, that is, there is no error correction and there is only one secret bit $t = t_1$ which is the exclusive or of all the bits in $w[E_c]$.

The QKD version is identical to the String-QOT protocol, except that Bob announces $E_0$ to Alice rather than $\{E_0, E_1\}$ and Alice always chooses $c = 0$. In this paper, we shall only consider attacks that correspond to attacks that may be executed by Eve in the QKD version. Clearly, Eve has no control over the set $E_0$ (and $E_1$), so we shall assume that Bob constructs $E_0$ and $E_1$ as specified in the protocol. The case in which there is no restriction on $E_0$ and $E_1$ is not more difficult, but we don't need it to obtain the security of the QKD protocol.
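To make the eight steps concrete, the following Python simulation (an added example written for this edit, not code from the paper) runs STRING-QOT($b$) end to end with an honest Alice, and either an honest Bob or a Bob who measures in bases unrelated to the $\hat\theta$ he committed to. Everything below the protocol text is an assumption of the example: the commitments are modelled simply as values fixed before Alice's announcements; the measurement model returns the encoded bit (flipped with a small noise probability) when Bob's basis matches Alice's and a uniform bit otherwise; $N$ is taken as $\lfloor 0.20\,n \rfloor$ rather than $\lfloor 0.24\,n \rfloor$ so that $T_0 - R$ and $T_1 - R$ reliably contain $N$ positions at $n = 1000$; and error correction is a brute-force syndrome decoder for at most two errors, since, as the text notes, a random linear code is hard to decode in general.

```python
import random


def gf2_matvec(mat, vec):
    """Matrix-vector product over GF(2); mat is a list of 0/1 rows."""
    return [sum(m * v for m, v in zip(row, vec)) % 2 for row in mat]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def measure_photons(rng, w, theta, bases, flip_prob):
    """Toy measurement model (an assumption of this example): a photon read in
    its preparation basis returns the encoded bit, flipped with probability
    flip_prob (channel noise); read in the other basis it gives a uniform bit."""
    out = []
    for wi, ti, bi in zip(w, theta, bases):
        if ti != bi:
            out.append(rng.randrange(2))
        else:
            out.append(wi ^ 1 if rng.random() < flip_prob else wi)
    return out


def syndrome_decode(g, s, w_hat, max_weight=2):
    """Return w' with g w' = s at Hamming distance <= max_weight from w_hat,
    or None.  Brute force over error patterns of weight 0, 1 or 2 using a
    table of single-bit syndromes; enough for a low-noise channel only."""
    n = len(w_hat)
    target = tuple(xor(gf2_matvec(g, w_hat), s))   # syndrome of the error pattern
    if not any(target):
        return list(w_hat)
    syn = []                                        # syndrome of each unit vector
    for i in range(n):
        e = [0] * n
        e[i] = 1
        syn.append(tuple(gf2_matvec(g, e)))
    first = {}
    for i, si in enumerate(syn):
        first.setdefault(si, i)
    flips = None
    if target in first:
        flips = [first[target]]
    elif max_weight >= 2:
        for i in range(n):
            j = first.get(tuple(xor(target, syn[i])))
            if j is not None and j != i:
                flips = [i, j]
                break
    if flips is None:
        return None
    out = list(w_hat)
    for i in flips:
        out[i] ^= 1
    return out


def string_qot(rng, b, n, r, delta, flip_prob, frac=0.20, c=None, bob_bases=None):
    """One run of STRING-QOT(b).  Alice is honest; Bob commits to theta_hat but
    measures in bob_bases (cheating if they differ from theta_hat).
    Returns (passed, c, b_bob) where b_bob is Bob's recovered string or None."""
    m, N = len(b), int(frac * n)
    f = [[rng.randrange(2) for _ in range(N)] for _ in range(r + m)]      # step 1
    g, h = f[:r], f[r:]
    theta_hat = [rng.choice("+x") for _ in range(n)]                       # step 2
    w = [rng.randrange(2) for _ in range(n)]                               # step 3
    theta = [rng.choice("+x") for _ in range(n)]
    w_hat = measure_photons(rng, w, theta, bob_bases or theta_hat, flip_prob)  # step 4
    R = set(rng.sample(range(n), n // 2))                                  # step 5
    errors = sum(1 for i in R if theta_hat[i] == theta[i] and w_hat[i] != w[i])
    if errors > delta * n:
        return False, None, None
    T0 = [i for i in range(n) if i not in R and theta_hat[i] == theta[i]]  # step 6
    T1 = [i for i in range(n) if i not in R and theta_hat[i] != theta[i]]
    if len(T0) < N or len(T1) < N:
        raise ValueError("n too small for N = %d" % N)
    E0, E1 = rng.sample(T0, N), rng.sample(T1, N)
    if c is None:                                                          # step 7
        c = rng.randrange(2)
    Ec = E0 if c == 0 else E1
    w_Ec = [w[i] for i in Ec]
    s = gf2_matvec(g, w_Ec)
    a = xor(b, gf2_matvec(h, w_Ec))
    if Ec != E0:                                                           # step 8, c = 1
        return True, c, None      # Bob read E_1 in the wrong bases: nothing to decode
    corrected = syndrome_decode(g, s, [w_hat[i] for i in E0])
    if corrected is None:
        return True, c, None      # more errors than the toy decoder handles
    return True, c, xor(a, gf2_matvec(h, corrected))


def run(seed, b, c=None, flip_prob=0.0, cheat=False, n=1000, r=40, delta=0.02):
    """Seeded wrapper; cheat=True makes Bob measure in bases unrelated to the
    ones he committed to, which the test of step 5 should catch."""
    rng = random.Random(seed)
    bases = [rng.choice("+x") for _ in range(n)] if cheat else None
    return string_qot(rng, b, n, r, delta, flip_prob, c=c, bob_bases=bases)


if __name__ == "__main__":
    b = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]
    print("c = 0, noisy:", run(1, b, c=0, flip_prob=0.005))
    print("c = 1:", run(2, b, c=1))
    print("cheating Bob passes the test:", run(3, b, c=0, cheat=True)[0])
```

The run with $c = 0$ reproduces $b$ whenever the decoder can correct $\hat w[E_0]$; with $c = 1$ honest Bob has measured $E_1$ in the wrong bases and stops. A Bob who ignores his committed bases produces roughly a 25% error rate on the tested positions where $\hat\theta_i = \theta_i$, far above $\delta n = 20$, so the test rejects him.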



In most cases, a random variable is represented by an upper case letter, 
whereas the value taken by such a variable is represented by a lower case letter, 
for instance, the bit c is the value taken by a random variable C. However, if 
the value itself is represented by an upper case letter which is typically the case 
when the value is a set, we use bold face typesetting for the random variable to 
distinguish it from its value. 

Let $V$ be Bob's view at the end of the protocol. Let $Pass$ be the binary random variable that takes the value 1 if and only if the test result is accepted. To obtain the security of the above protocol against Bob, for any attack where $E_0$ and $E_1$ are honestly chosen, we show that there exists a factor of security $\xi > 0$ such that, for any initial distribution of probability on $B$, $I(B; V \mid Pass = 1 \wedge C = 1) \times \Pr(Pass = 1) \le 2^{-\xi n}$.

6 Bob's view 

Let us assume that the possible values $(b, w, \theta)$ of $(B, W, \Theta)$ are stored in orthonormal states $|b, w, \theta\rangle_C$. The entire view of Bob can be seen as the outcome of a measurement executed on $|b, w, \theta\rangle_C |\psi_{w,\theta}\rangle$. This measurement is not executed by Bob alone. For instance, the announcement of $\theta$ by Alice is part of this measurement. Furthermore, we shall generously assume that at the end Alice announces $w[\bar E_c]$ to Bob, where $\bar E_c$ is the complement of $E_c$.

Let us analyze the operation $M_v$ associated with a view $v$. We consider a fixed value of $\hat\theta$. At step 4 the measurement operates only on $|\psi_{w,\theta}\rangle$ and returns $\hat w$: we consider the classical computation of $\hat w$ as part of the measurement executed by a dishonest Bob. The corresponding operation on the photons is denoted $M_{\hat w}$. At step 5, $R$ is chosen by Alice and announced to Bob. This has no physical effect on the initial state, but still the corresponding operation is $M_R = 2^{-n} I$. Next, Alice announces the result of the test. This corresponds to a projection $P_{pass}$ on the classical part of the state space. Note that this projection is defined in view of $\hat w$ which is obtained from a measurement on the photons. At step 6 Alice announces $\theta$. The corresponding operation is the projection $P_\theta = |\theta\rangle\langle\theta|_C$. The announcement of $E_c$ corresponds to the operation $M_c = 2^{-1} I$. Similarly, let $P_s$ and $P_a$ be respectively the projections that correspond to the announcements of $s$ and $a$. We have that $P_s$ projects on the span of the states $|w[E_c]\rangle_C$ such that $S = s$, and $P_a$ projects on the span of the states $|b, w[E_c]\rangle_C$ such that $A = (h\,w[E_c]) \oplus b = a$. Note that, because Bob could have some initial information about $b$, the condition $A = a$ may actually provide information about $t = b \oplus a$. Finally, let $P_w$ be the projection $|w[\bar E_c]\rangle\langle w[\bar E_c]|_C$ which corresponds to the announcement of $w[\bar E_c]$.

Note that Bob has no advantage in measuring the photons at step 6 (because he creates $E_0$ and $E_1$ honestly). So the operation on the photons at step 4 remains the same at step 6. At step 7, Alice announces the information for privacy amplification and error correction, but this is under Alice's control and operates only on the classical part of the initial state. Certainly, at step 8, Bob is free to execute on the residual state of the photons the complete measurement of his choice. The final operation on the initial state $|b, w, \theta\rangle_C |\psi_{w,\theta}\rangle$ is of the form $M_v = 2^{-(n+1)} P_C\, |v\rangle\langle\phi_v|$ where $|v\rangle\langle\phi_v|$ operates on $|\psi_{w,\theta}\rangle$ and $P_C$ is the projection $P_w P_a P_s P_\theta$ on the classical part $|b, w, \theta\rangle_C$. The projection $P_{pass}$ does not appear because it is implicit in $P_w P_\theta$: the tested positions $R$ lie outside $E_c$, so $w[\bar E_c]$ and $\theta$ together with Bob's commitments already fix the test result.

7 The small distance property 

In this section, we want to find a property on $M_v$ that can be proven using the fact that Bob must pass the test. Of course, we also want a property that implies that Bob has no information when $c = 1$. We recall that no more than $\delta n$ positions $i$ for which $\hat\theta_i = \theta_i$ and $\hat w_i \ne w_i$ are tolerated in the test.

Let us consider an example in which Bob stores some photons and measures them only after the bases have been announced by Alice. Let $\epsilon = 8\delta$. Bob cannot store much more than $\epsilon n$ photons, because otherwise he will not pass the test: half of the photons are used for the test, half of these tested photons will be in the correct basis and half of these will create an error, so storing $\epsilon n$ photons already produces about $\epsilon n / 8 = \delta n$ errors. Consider the case where Bob stores exactly $\epsilon n$ photons. Let $F$ be the set of stored photons and $\bar F$ the set of non stored photons. To pass the test, Bob measures the non stored photons using the committed string of bases $\hat\theta[\bar F]$ and obtains $\hat w[\bar F]$. After he has learned all the classical information that Alice announces, Bob measures the stored photons in the correct bases $\theta[F]$ and obtains $w[F]$. The value $(\hat w, \theta, \hat\theta)$ is fixed in the final view $v$ and the corresponding vector is $|\phi_v\rangle = |\psi_{\hat w,\hat\theta}[\bar F]\rangle\,|\psi_{w,\theta}[F]\rangle$.

In which way is the dishonest vector $|\phi_v\rangle = |\psi_{\hat w,\hat\theta}[\bar F]\rangle\,|\psi_{w,\theta}[F]\rangle$ close to the honest vector $|\phi_v\rangle = |\psi_{\hat w,\hat\theta}\rangle$? If we expand the state $|\psi_{\hat w,\hat\theta}[\bar F]\rangle\,|\psi_{w,\theta}[F]\rangle$ in the basis $\{|\psi_{\alpha,\hat\theta}\rangle\}$, we obtain $|\psi_{\hat w,\hat\theta}[\bar F]\rangle\,|\psi_{w,\theta}[F]\rangle = \sum_\alpha \lambda_\alpha |\psi_{\alpha,\hat\theta}\rangle$ where $\lambda_\alpha \ne 0$ only if we have $\alpha[\bar F] = \hat w[\bar F]$. In particular, $\lambda_\alpha \ne 0$ implies $d(\alpha, \hat w) \le \epsilon n$. Of course, Bob could choose the photons that he stores at random and in view of the previous outcomes. In this case, we cannot expect that, for some fixed set $F$, $\lambda_\alpha \ne 0$ implies $\alpha[\bar F] = \hat w[\bar F]$. However, it is still reasonable to expect that $\lambda_\alpha \ne 0$ implies $d(\alpha, \hat w) \le \epsilon n$. That is, the state $|\phi_v\rangle$ must be in the span of the states $|\psi_{\alpha,\hat\theta}\rangle$ with $d(\alpha, \hat w) \le \epsilon n$. This is exactly the property that is called the low weight property by Yao [27]. In Yao's proof, $\epsilon = 1/40$. The test of the QOT protocol in Yao's proof tolerates no error at all: $\delta = 0$. However, Yao's proof works exactly in the same way even when $\delta > 0$. In section 10 we shall briefly sketch an alternative proof.

Let us formulate the low-weight property in terms of $M_v$ and the set $E_c$. We consider $E_c$ because it contains the relevant positions. Let $E \subseteq \{1, \ldots, n\}$ be any set of positions and $\epsilon$ be some small positive number. Let $d_E(\alpha, \alpha') = |\{i \in E \mid \alpha_i \ne \alpha'_i\}|$. If $E = \{1, \ldots, n\}$, then $d_E(\alpha, \alpha')$ is the usual Hamming distance. We denote $L_1[E, \epsilon n]$ the span of the states $|\psi_{\alpha,\hat\theta}\rangle$ where $d_E(\alpha, \hat w) \le \epsilon n$. We denote $L_0[E, \epsilon n]$ the span of the states $|\psi_{\alpha,\hat\theta}\rangle$ where $d_E(\alpha, \hat w) > \epsilon n$. We denote $P_j[E, \epsilon n]$ the projection on $L_j[E, \epsilon n]$.

Let $P_0 = P_0[E_c, \epsilon n]$ and $P_1 = P_1[E_c, \epsilon n]$. A vector $|\phi\rangle$ in the state space of the photons has the $\epsilon n$-small distance property if and only if $P_0|\phi\rangle = 0$. In other words, it must be in $L_1[E_c, \epsilon n]$. The operation $M_v$ has the $\epsilon n$-small distance property if and only if, for every $(b, w, \theta)$, $M_v P_0 |b, w, \theta\rangle_C |\psi_{w,\theta}\rangle = 0$. The small-distance property corresponds to what Yao calls the low-weight property in [27]. Note that Yao defines the low weight property in terms of all the positions, not only those in $E_c$. This difference is not so important: since $d_{E_c}(\alpha, \hat w) \le d(\alpha, \hat w)$, it is clear that $L_1[\{1, \ldots, n\}, \epsilon n]$ is a subspace of $L_1[E_c, \epsilon n]$, so Yao's low-weight property implies the small distance property.

8 Using the small distance property 

We now show that if the small distance property holds and $c = 1$, then $v$ provides no information at all on $b$. This corresponds to a generalization of lemma 1 in Yao's paper [27]. The minimum distance of a code $C$ is the minimum Hamming distance $d(c, c')$ where $c$ and $c'$ are distinct codewords in $C$. Let $C_0 = \{\beta \in GF(2)^N \mid f\beta = 0\}$ be the kernel of $f$; its dual $C_0^\perp$ is the span of the $(r+m)$ rows of the matrix $f$ seen as vectors in $GF(2)^N$. Let $dN$ be the minimum distance of $C_0^\perp$. Because the matrix $f$ is chosen at random, for any $\eta > 0$, except with negligible probability, we have $d \ge H^{-1}(1 - \frac{r+m}{N}) - \eta$, where $H(x) = -(x \lg x + (1-x) \lg (1-x))$.

Lemma 1. If $2\epsilon n < dN$ and $M_v$ has the $\epsilon n$-small distance property, then the outcome $v$ provides no information at all on the string $b$.

Proof. The basic idea is to show that, for a fixed $v$ such that $c = 1$, the probability of $V = v$ given $B = b$, denoted $p(v|b)$, is the same for all $b$. For every $(w', \theta')$, let $p(v|b, w', \theta') = \Pr(V = v \mid B = b \wedge W = w' \wedge \Theta = \theta')$. We have that $p(v|b) = 4^{-n} \sum_{w',\theta'} p(v|b, w', \theta')$. Now, let $V_{v,b}$ be the set of pairs $(w', \theta')$ such that

$$P_C\, |b, w', \theta'\rangle_C \ne 0. \qquad (1)$$

Equation (1) must hold if we want to have $p(v|b, w', \theta') \ne 0$. Since we are only interested in $(w', \theta')$ that contribute to $p(v|b)$, in what follows we only consider the pairs $(w', \theta')$ in $V_{v,b}$. We obtain that $P_C$ operates as the identity operator on $|b, w', \theta'\rangle_C$. Furthermore, one may easily check that (1) implies that we can express the $\epsilon n$-small distance property on $M_v$ via the following equation:

$$\langle\phi_v|\, P_0\, |\psi_{w',\theta'}\rangle = 0. \qquad (2)$$

Because of these two facts, from here on we can ignore the classical part of the initial state in our computation. Now, equation (1) implies $w'[\bar E_c] = w[\bar E_c]$, $\theta' = \theta$, $g\,w'[E_c] = s$ and $h\,w'[E_c] = t = b \oplus a$. The two last constraints can be written in one equation $f\,w'[E_c] = x$ where $x$ is the concatenation of $s$ and $t$. The only degree of freedom is $\beta \stackrel{\mathrm{def}}{=} w'[E_c]$, restricted by $f\beta = x$. Let $C_x = \{\beta \in \{0,1\}^N \mid f\beta = x\}$. There is a one-to-one correspondence between the strings $\beta \in C_x$ and the pairs $(w', \theta') \in V_{v,b}$. Let $p(v|\beta) = p(v|b, w', \theta')$ and $|\psi_{\beta,\theta}\rangle = |\psi_{w',\theta'}\rangle$. Ignoring the classical part of the initial state (and the constant factor $2^{-2(n+1)}$ coming from $M_v$, which does not depend on $\beta$ or $b$) and using (2) we obtain $p(v|\beta) = |\langle\phi_v|\psi_{\beta,\theta}\rangle|^2 = |\langle\phi_v|(P_0 + P_1)|\psi_{\beta,\theta}\rangle|^2 = |\langle\phi_v|P_1|\psi_{\beta,\theta}\rangle|^2$.

Now, we would like to restrict our analysis to the photons with position in $E_c$. One may insert the projection $P = |\psi_{w,\theta}[\bar E_c]\rangle\langle\psi_{w,\theta}[\bar E_c]|$ in front of the state $|\psi_{\beta,\theta}\rangle$ because this projection is implicit in the definition of this state. One obtains $p(v|\beta) = |\langle\phi_v|P_1 P|\psi_{\beta,\theta}\rangle|^2$. These two projections commute, so we obtain $p(v|\beta) = |\langle\phi'_v|P_1|\psi_{\beta,\theta}\rangle|^2$ where $|\phi'_v\rangle = P|\phi_v\rangle$. Note that $|\phi'_v\rangle = |\psi_{w,\theta}[\bar E_c]\rangle\,|\phi''_v\rangle$ and $|\psi_{\beta,\theta}\rangle = |\psi_{w,\theta}[\bar E_c]\rangle\,|\tilde\psi_{\beta,\theta}\rangle$ where both $|\phi''_v\rangle$ and $|\tilde\psi_{\beta,\theta}\rangle$ are states for the photons with position in $E_c$. We obtain that $p(v|\beta) = |\langle\phi''_v|P_1|\tilde\psi_{\beta,\theta}\rangle|^2 = |\langle\tilde\phi_v|\tilde\psi_{\beta,\theta}\rangle|^2$ where $|\tilde\phi_v\rangle = P_1|\phi''_v\rangle$ has the $\epsilon n$-small-distance property. Now, consider the density operators $\rho_x = 2^{-k}\sum_{\beta \in C_x} |\tilde\psi_{\beta,\theta}\rangle\langle\tilde\psi_{\beta,\theta}|$ where $k = N - r - m$. Summing $p(v|\beta)$ over the $2^k$ strings $\beta \in C_x$ gives $p(v|b) = 4^{-n}\, 2^k\, \langle\tilde\phi_v|\rho_x|\tilde\phi_v\rangle$ (up to the constant dropped above), where $x$ depends on $b$ only through $t = b \oplus a$. We shall show that these density operators cannot be distinguished by any state $|\tilde\phi\rangle$ that has the $\epsilon n$-small distance property. In section 9, it is shown that, in the context $E_c = E_1$, for every $\beta \in C_x$, the matrix representation of $\rho_x$ in Bob's basis $\{|\tilde\psi_{\alpha,\hat\theta}\rangle \mid \alpha \in \{0,1\}^N\}$ is given by

$$(\rho_x)_{\alpha,\alpha'} = 2^{-N} \times \begin{cases} 0 & \text{if } (\alpha \oplus \alpha') \notin C_0^\perp, \\ (-1)^{(\alpha \oplus \alpha') \odot \beta} & \text{otherwise.} \end{cases}$$

(The sign does not depend on the choice of $\beta \in C_x$: if $\alpha \oplus \alpha' = f^{\mathsf T} u$ then $(\alpha \oplus \alpha') \odot \beta = u \odot f\beta = u \odot x$.) For every pair of distinct strings $x, x' \in \{0,1\}^{m+r}$, we have that a necessary condition for $(\Delta\rho)_{\alpha,\alpha'} = (\rho_x)_{\alpha,\alpha'} - (\rho_{x'})_{\alpha,\alpha'} \ne 0$ is that $(\alpha \oplus \alpha')$ belongs to $C_0^\perp$ and is different from $0$. Therefore, a necessary condition for $(\Delta\rho)_{\alpha,\alpha'} \ne 0$ is that $d(\alpha, \alpha') \ge dN$. Since $d(\alpha, \alpha') \le d(\alpha, \hat w) + d(\alpha', \hat w)$ and $dN > 2\epsilon n$, for every $(\alpha, \alpha')$ such that $(\Delta\rho)_{\alpha,\alpha'} \ne 0$, one of $|\tilde\psi_{\alpha,\hat\theta}\rangle$ or $|\tilde\psi_{\alpha',\hat\theta}\rangle$ belongs to $L_0[E_c, \epsilon n]$ and is therefore orthogonal to $|\tilde\phi\rangle$. We obtain

$$\langle\tilde\phi|\Delta\rho|\tilde\phi\rangle = \sum_{\alpha,\alpha'} (\Delta\rho)_{\alpha,\alpha'}\, \langle\tilde\phi|\tilde\psi_{\alpha,\hat\theta}\rangle\langle\tilde\psi_{\alpha',\hat\theta}|\tilde\phi\rangle = 0.$$

This concludes the proof. □



9 The density matrices 

In this section, we consider only the photons with positions in $E_1 = E^c$. Therefore $\bar\theta$ is the opposite of $\theta$, that is, $(\forall i)\ \bar\theta_i \neq \theta_i$. We temporarily remove the tilde over the symbol $\psi$. It is as if we considered the general situation where $N$ photons are sent from Alice to Bob in a string of bases $\theta \in \{+,\times\}^N$ and we want to find the matrix representation of the density operators $\rho_x = 2^{-k}\sum_{\beta\in C_x}|\psi_{\beta,\theta}\rangle\langle\psi_{\beta,\theta}|$ in the opposite basis $\{|\psi_{\alpha,\bar\theta}\rangle\}$. We need some basic tool. For every vector $\beta \in GF(2)^N$, the mapping $\beta' \mapsto \beta' \oplus \beta$ on $GF(2)^N$ corresponds to a unitary transformation $U_\beta$ on the state space of the photons defined via $U_\beta|\psi_{\beta',\theta}\rangle = |\psi_{\beta\oplus\beta',\theta}\rangle$. One may easily check that, for every position $i$ where $\beta_i = 1$, the transformation $U_\beta$ maps $|0\rangle_{\bar\theta_i}$ into itself and $|1\rangle_{\bar\theta_i}$ into $-|1\rangle_{\bar\theta_i}$. So, if there is an even number of positions $i$ where $\alpha_i = \beta_i = 1$, we have $U_\beta|\psi_{\alpha,\bar\theta}\rangle = |\psi_{\alpha,\bar\theta}\rangle$, otherwise, we have $U_\beta|\psi_{\alpha,\bar\theta}\rangle = -|\psi_{\alpha,\bar\theta}\rangle$. In terms of the operation on the vector space $GF(2)^N$, we have
$$U_\beta|\psi_{\alpha,\bar\theta}\rangle = (-1)^{\alpha\cdot\beta}\,|\psi_{\alpha,\bar\theta}\rangle . \qquad (2)$$

For every $\beta \in C_x$, we have $C_x = C_0 \oplus \beta$. Therefore, for every $\beta \in C_x$,
$$\rho_x = U_\beta\,\rho_0\,U_\beta , \qquad (3)$$

where we have used $U_\beta^\dagger = U_\beta$. For any operator $\rho$ and any $\beta$, one may easily check that, in Bob's basis,
$$(U_\beta^\dagger\,\rho\,U_\beta)_{\alpha,\alpha'} = (-1)^{(\alpha\oplus\alpha')\cdot\beta} \times (\rho)_{\alpha,\alpha'} . \qquad (4)$$

Therefore, in view of (3) and (4), we are done if we have the matrix representation of the density operator $\rho_0$ in Bob's basis.

Let $k = N - m - r$ and $\{\beta_1, \ldots, \beta_k\}$ be a basis of $C_0$. For every $j = 1, \ldots, k$, let $C^{(j)}$ be the span of $\beta_1, \ldots, \beta_j$ and $\rho^{(j)} = 2^{-j}\sum_{\beta\in C^{(j)}}|\psi_{\beta,\theta}\rangle\langle\psi_{\beta,\theta}|$. Note that $\rho_0 = \rho^{(k)}$ and $C_0 = C^{(k)}$. We shall show by induction on $j$ that, for $j = 0, \ldots, k$,
$$(\rho^{(j)})_{\alpha,\alpha'} = 2^{-N} \times \begin{cases} 0 & \text{if } (\alpha \oplus \alpha') \notin C^{(j)\perp} \\ 1 & \text{otherwise.} \end{cases} \qquad (5)$$

The case $j = 0$ can be easily computed: $C^{(0)} = \{0\}$ and $C^{(0)\perp} = GF(2)^N$, and indeed every entry of $\rho^{(0)} = |\psi_{0,\theta}\rangle\langle\psi_{0,\theta}|$ in Bob's basis equals $\langle\psi_{\alpha,\bar\theta}|\psi_{0,\theta}\rangle\langle\psi_{0,\theta}|\psi_{\alpha',\bar\theta}\rangle = 2^{-N}$.

We assume that (5) holds for $j$ and obtain it for $j+1$. Because $C^{(j+1)} = C^{(j)} \cup (C^{(j)} \oplus \beta_{j+1})$, we have that
$$\rho^{(j+1)} = \tfrac{1}{2}\left(\rho^{(j)} + U_{\beta_{j+1}}\,\rho^{(j)}\,U_{\beta_{j+1}}\right). \qquad (6)$$
Therefore, using formula (4), we obtain
$$(\rho^{(j+1)})_{\alpha,\alpha'} = \tfrac{1}{2}\,(\rho^{(j)})_{\alpha,\alpha'}\left(1 + (-1)^{(\alpha\oplus\alpha')\cdot\beta_{j+1}}\right).$$

Note that $(\rho^{(j+1)})_{\alpha,\alpha'}$ is either $0$ or $2^{-N}$. We obtain that $(\rho^{(j+1)})_{\alpha,\alpha'} = 2^{-N}$ if and only if $(\rho^{(j)})_{\alpha,\alpha'} \neq 0$ and $(\alpha \oplus \alpha')\cdot\beta_{j+1} = 0$. So, $(\rho^{(j+1)})_{\alpha,\alpha'} = 2^{-N}$ if and only if, for every $\beta \in C^{(j+1)}$, $(\alpha \oplus \alpha')\cdot\beta = 0$. This last condition is equivalent to $(\alpha \oplus \alpha') \in C^{(j+1)\perp}$. This concludes the induction. Using the density matrix of $\rho_0 = \rho^{(k)}$, together with formulas (3) and (4), we finally obtain that, for every $\beta \in C_x$,
$$(\rho_x)_{\alpha,\alpha'} = 2^{-N} \times \begin{cases} 0 & \text{if } (\alpha \oplus \alpha') \notin C_0^\perp \\ (-1)^{(\alpha\oplus\alpha')\cdot\beta} & \text{otherwise.} \end{cases}$$
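As an added numerical check of the formula just derived (this script is not part of the paper), the following Python code builds the states $|\psi_{\beta,\theta}\rangle$ explicitly for a small constructed instance ($N = 4$ photons, a linear map $f$ with $m + r = 2$ rows so that $k = 2$, and mixed bases $\theta$), computes $(\rho_x)_{\alpha,\alpha'}$ in the opposite basis directly from the state vectors, and compares it entry by entry with the closed form. It also recovers the observation used in the lemma of the previous section: $\rho_x$ and $\rho_{x'}$ differ in Bob's basis only on pairs $(\alpha,\alpha')$ with $\alpha \oplus \alpha'$ a nonzero element of $C_0^\perp$. The map $f$, the bases and the Hadamard phase conventions for $|b\rangle_\times$ are assumptions of the example.

```python
"""Numerical check of the Section 9 density-matrix formula on a small instance.

Added example, not from the paper.  Assumptions: N photons, Alice's bases
theta in {+, x}^N, a linear map f: GF(2)^N -> GF(2)^(m+r) given by its rows,
C_x = {beta : f beta = x}, rho_x = 2^-k sum_{beta in C_x} |psi><psi|, and
Bob's basis is the opposite basis theta_bar at every position.
"""
from itertools import product
from math import sqrt

SQ = 1 / sqrt(2)
# |b>_theta as a real 2-vector; '+' rectilinear, 'x' diagonal (Hadamard conventions, assumed)
SINGLE = {('+', 0): (1.0, 0.0), ('+', 1): (0.0, 1.0),
          ('x', 0): (SQ, SQ), ('x', 1): (SQ, -SQ)}

# constructed instance: N = 4, f has m + r = 2 rows, so k = N - m - r = 2
F = [(1, 1, 0, 0), (0, 0, 1, 1)]
THETA = ('+', 'x', '+', 'x')


def opposite(theta):
    """theta_bar: the conjugate basis at every position."""
    return tuple('x' if t == '+' else '+' for t in theta)


def psi(beta, theta):
    """|psi_{beta,theta}> = tensor product of |beta_i>_{theta_i}, as a 2^N real vector."""
    vec = [1.0]
    for b, t in zip(beta, theta):
        a0, a1 = SINGLE[(t, b)]
        vec = [v * a0 for v in vec] + [v * a1 for v in vec]
    return vec


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def apply_f(f_rows, beta):
    """f beta over GF(2): one parity bit per row of f."""
    return tuple(dot(row, beta) % 2 for row in f_rows)


def coset(f_rows, x, n):
    """C_x = {beta in GF(2)^N : f beta = x}."""
    return [b for b in product((0, 1), repeat=n) if apply_f(f_rows, b) == x]


def dual(code, n):
    """C^perp = {gamma : gamma . beta = 0 (mod 2) for every beta in C}."""
    return {g for g in product((0, 1), repeat=n)
            if all(dot(g, b) % 2 == 0 for b in code)}


def rho_in_bobs_basis(f_rows, x, theta):
    """(rho_x)_{alpha,alpha'} = <psi_{alpha,theta_bar}| rho_x |psi_{alpha',theta_bar}>,
    computed from the state vectors (no use of the closed form)."""
    n = len(theta)
    cx = coset(f_rows, x, n)
    bob = opposite(theta)
    alphas = list(product((0, 1), repeat=n))
    # amplitudes <psi_{alpha,theta_bar}|psi_{beta,theta}>; all states are real
    amp = {(a, b): dot(psi(a, bob), psi(b, theta)) for a in alphas for b in cx}
    return {(a, a2): sum(amp[(a, b)] * amp[(a2, b)] for b in cx) / len(cx)
            for a in alphas for a2 in alphas}


def rho_closed_form(f_rows, x, n):
    """Section 9: 2^-N (-1)^{(alpha xor alpha') . beta} if alpha xor alpha' in C_0^perp, else 0."""
    c0_perp = dual(coset(f_rows, (0,) * len(f_rows), n), n)
    beta = coset(f_rows, x, n)[0]  # any representative of C_x gives the same matrix
    alphas = list(product((0, 1), repeat=n))
    out = {}
    for a in alphas:
        for a2 in alphas:
            diff = tuple(i ^ j for i, j in zip(a, a2))
            out[(a, a2)] = (-1) ** dot(diff, beta) / 2 ** n if diff in c0_perp else 0.0
    return out


def formula_holds(f_rows, x, theta, tol=1e-12):
    """True iff the explicit computation agrees with the closed form entrywise."""
    num = rho_in_bobs_basis(f_rows, x, theta)
    cf = rho_closed_form(f_rows, x, len(theta))
    return all(abs(num[key] - cf[key]) < tol for key in num)


def distinguishing_differences(f_rows, x, x2, theta, tol=1e-12):
    """The set of alpha xor alpha' on which rho_x and rho_{x'} differ in Bob's basis.
    The lemma needs this set to lie inside C_0^perp minus {0}."""
    r1 = rho_in_bobs_basis(f_rows, x, theta)
    r2 = rho_in_bobs_basis(f_rows, x2, theta)
    return {tuple(i ^ j for i, j in zip(a, a2))
            for (a, a2) in r1 if abs(r1[(a, a2)] - r2[(a, a2)]) > tol}


if __name__ == "__main__":
    for x in product((0, 1), repeat=len(F)):
        print(x, "closed form agrees:", formula_holds(F, x, THETA))
    c0_perp = dual(coset(F, (0, 0), 4), 4)
    diffs = distinguishing_differences(F, (0, 0), (1, 0), THETA)
    print("rho_00 and rho_10 differ on alpha xor alpha' in", sorted(diffs))
    print("all inside C_0^perp minus {0}:", diffs <= c0_perp - {(0, 0, 0, 0)})
```

Because the amplitudes $\langle\psi_{\alpha,\bar\theta}|\psi_{\beta,\theta}\rangle = 2^{-N/2}(-1)^{\alpha\cdot\beta}$ are real, the matrix elements reduce to the character sum over the coset $C_x$, which is why the agreement is exact up to floating-point rounding and why the representative $\beta$ chosen in `rho_closed_form` does not matter.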



10 Proving the small distance property 

Consider an example where Bob chooses a random bit $OK$ and stores all the photons when and only when $OK = 1$. In this case, Bob passes the test with a probability a little bit greater than $1/2$ and the small distance property holds with probability $1/2$. The point is that we should not expect that, if Bob has a significant probability of passing the test, then the small distance property always holds. In this example, except with negligible probability, the small distance property holds when Bob passes the test.

Consider another example where Bob commits $\theta = +^n$, measures every photon in a fixed basis $\theta'$ and commits the outcome $w$. The fixed basis $\theta'$ cannot be too far away from $+$ because otherwise Bob will not pass the test. Without loss of generality, assume that the magnitude of ${}_+\langle 0|0\rangle_{\theta'} = {}_+\langle 1|1\rangle_{\theta'} = c_{\theta'}$ is close to $1$ and the magnitude of ${}_+\langle 0|1\rangle_{\theta'} = {}_+\langle 1|0\rangle_{\theta'} = s_{\theta'}$ is close to $0$. The value $w$ is included in $v$ and $|\phi_v\rangle = |\psi_{w,\theta'}\rangle$. If we expand $|\phi_v\rangle$ in Bob's basis $+^n$ we obtain $|\phi_v\rangle = \sum_\alpha \langle\psi_{\alpha,+^n}|\psi_{w,\theta'}\rangle\,|\psi_{\alpha,+^n}\rangle$. Note that $|\langle\psi_{\alpha,+^n}|\psi_{w,\theta'}\rangle| = |s_{\theta'}|^{d(\alpha,w)} \times |c_{\theta'}|^{n - d(\alpha,w)}$. So $|\lambda_\alpha| = |\langle\psi_{\alpha,+^n}|\psi_{w,\theta'}\rangle|$ is very small when $d(\alpha,w)$ is large. In this second example, the small distance property does not hold, but it almost holds.

Now, we briefly sketch a proof that, for every strategy used by Bob, except with negligible probability, if Bob passes the test, then the small distance property almost holds. A complete proof is found in [?]. Let $\gamma = 10^{-6}$ and $Info$ be the binary random variable that takes the value $0$ if and only if
$$\left\| M_v\,P_0\,|\psi_{w,\theta}\rangle \right\|^2 < 2^{-\gamma n}\left\| M_v\,|\psi_{w,\theta}\rangle \right\|^2 .$$

The condition $Info = 0$ means that, for all practical purposes, we can use the small distance property, and everything derived from it, in our proof of lemma 1. So, we want to obtain that if $\Pr(Pass = 1) > 2^{-\gamma n}$ then
$$\Pr(Info = 1 \mid Pass = 1) < 2^{-\gamma n} . \qquad (7)$$

The variable $Info$ concerns the final view of Bob. It is easier to consider the situation just after the announcement of $\theta$. Therefore, let us consider the ratio
$$r(pass,\theta,R,w) = \frac{\mathrm{Tr}\left(P_0\,\Pi_{(pass,\theta,R,w)}\,P_0\,\rho\right)}{\mathrm{Tr}\left(\Pi_{(pass,\theta,R,w)}\,\rho\right)}$$
where $\rho$ is Alice's preparation and $\Pi_{(pass,\theta,R,w)} = M^\dagger_{(pass,\theta,R,w)}\,M_{(pass,\theta,R,w)}$. We shall briefly sketch why $\Pr(Pass = 1) > 2^{-2\gamma n}$ implies that
$$\langle r(pass,\theta,R,w)\rangle_{Pass=1} < 2^{-2\gamma n} \qquad (8)$$
where $\langle r\rangle_{Pass=1}$ denotes the expected value of $r$ in the context $Pass = 1$. This does the job because $\Pr(Pass = 1) > 2^{-\gamma n}$ implies that $\Pr(Pass = 1) > 2^{-2\gamma n}$, and expanding the expected value $\langle r(pass,\theta,R,w)\rangle_{Pass=1}$, after some algebra, one obtains that (8) implies (7). One may check that

$$\mathrm{Tr}\left(\Pi_{(pass,\theta,R,w)}\,\rho\right) = p(pass,\theta,R,w) = 8^{-n}\sum_\alpha \left\| M_w\,P_{pass}[T_0 \cap R, \delta n]\,|\psi_{\alpha,\bar\theta}\rangle \right\|^2 \qquad (9)$$
$$\mathrm{Tr}\left(P_0\,\Pi_{(pass,\theta,R,w)}\,P_0\,\rho\right) = 8^{-n}\sum_\alpha \left\| M_w\,P_{pass}[T_0 \cap R, \delta n]\,P_0\,|\psi_{\alpha,\bar\theta}\rangle \right\|^2 \qquad (10)$$

where $P_{pass}[T_0 \cap R, \delta n]$ is the projection defined in an earlier section. The right hand sides of (9) and (10) can also be obtained from the following definition of $Pass$, $\Theta$, $\mathcal{R}$ and $W$. Alice chooses $\theta$ and $R$ as usual, but prepares a perfectly random state $|\psi_{\alpha,\bar\theta}\rangle$ using $\bar\theta$ rather than $\theta$. Bob measures in the bases $\bar\theta$ to obtain $\alpha$ and then executes $M_w$ to obtain $w$. Finally, Alice announces $R$ and $\theta$. Let $J[E, rn] = 1$ if and only if $d_E(\alpha,w) < rn$, and let $Pass = J[T_0 \cap R, \delta n]$. The values of (9) and (10) are respectively $\Pr(\Theta = \theta \wedge J[T \cap R, \delta n] = pass \wedge \mathcal{R} = R \wedge W = w)$ and $\Pr(J[E^c, \epsilon] = 0 \wedge \Theta = \theta \wedge J[T \cap R, \delta n] = pass \wedge \mathcal{R} = R \wedge W = w)$. Equation (8) simply means that $\Pr(J[E^c, \epsilon] = 0 \mid J[T \cap R, \delta] = 1) < 2^{-2\gamma n}$. So, it is sufficient to show $\Pr(J[E^c, \epsilon] = 0 \wedge J[T \cap R, \delta] = 1) < 2^{-4\gamma n}$. For an appropriate $\epsilon > \delta$, this is not hard to show. This concludes the sketch of the proof for this section.

We are grateful to Eli Biham, Gilles Brassard, Claude Crépeau, Christopher Fuchs, Tal Mor and Andrew Yao for fruitful discussions. We especially thank Tal Mor and Eli Biham for showing us a preliminary version of [7] and a preliminary and partial version of [10]. These did not yet consider the density matrices approach for the case $r > 0$ or $m > 1$, but contained the density matrices for the case $r = 0$ and $m = 1$. At the time, we also had these density matrices, but the way they presented it helped us to make a guess on the shape of the density matrices when $r > 0$ and $m > 1$, and this guess has been a great help in our computation. Our guess has also been proven independently in later versions of [10] in the context of the collective attack.